Aruba Instant 6.4.4.4-4.2.3.2 Release Notes
Copyright

Copyright 2016 Hewlett Packard Enterprise Development LP

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett-Packard Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA

Revision 01 June 2016
Contents

Release Overview
    Contents
    Contacting Support
What's New in this Release
    Regulatory Domain Updates
    Resolved Issues in this Release
Known Issues and Limitations
    Known Issue
        AppRF
    Limitation
        No Support for Layer 2 Tunneling Protocol Version 3 (L2TPV3) on Certain Access Points
Features and Enhancements in Previous Releases
    Features and Enhancements
        802.1X Supplicant Configuration Support for Wired Networks
        BLE Beacon Management
        Out of Service Operations
        Dynamic DNS Registration Support
        Support for Client Match Feature on IAP-324/325 platforms
        Configure-Only Mode in AMP
        Support for Full URL Visibility and AppRF Enhancements
        Static LACP Configuration Support
        Per-AP SSID and VLAN
        New Wired-Containment Knobs for NAT Rogue
        Configuring Maximum Clients for Radio Profiles
        Configuring a Custom Port for Speed Test Profiles
Issues Resolved In Previous Releases
    Issues Resolved in 6.4.4.4-4.2.3.1
        Authentication
        Captive Portal
        Datapath/Firewall
        Wi-Fi driver
    Issues Resolved in 6.4.4.4-4.2.3.0
        ARM
        Authentication
        Captive Portal
        Datapath/Firewall
        DHCP Server
        IAP Platform
        Mesh
        STM
        3G/4G Management
Chapter 1 Release Overview

Aruba Instant 6.4.4.4-4.2.3.2 is a patch release that introduces enhancements and fixes to the issues found in the previous release.

For information on upgrading IAPs to the new release version, refer to the Upgrading an IAP topic in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.

Contents

What's New in this Release lists the regulatory information in the Instant 6.4.4.4-4.2.3.2 release.
Features and Enhancements in Previous Releases describes the features and enhancements in the previous Instant 6.4.4.x-4.2.3.x releases.
Issues Resolved In Previous Releases describes the issues fixed in the previous Instant 6.4.4.x-4.2.3.x releases.
Known Issues and Limitations lists the known issues and limitations identified in the Instant 6.4.4.x-4.2.3.x releases.

Contacting Support

Main Site: arubanetworks.com
Support Site: support.arubanetworks.com
Airheads Social Forums and Knowledge Base: community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone: arubanetworks.com/support-services/contact-support/
Software Licensing Site: licensing.arubanetworks.com
End-of-life Information: arubanetworks.com/support-services/end-of-life/
Security Incident Response Team (SIRT): Site: arubanetworks.com/support-services/security-bulletins/ Email: sirt@arubanetworks.com
Chapter 2 What's New in this Release

This chapter lists the regulatory information applicable to the Aruba Instant 6.4.4.4-4.2.3.2 release.

Regulatory Domain Updates

The following table lists the DRT file versions supported by Instant 6.4.4.x-4.2.3.x releases:

Table 1: DRT Versions

Instant Release Version    Applicable DRT Version
6.4.4.4-4.2.3.2            1.0_54870
6.4.4.4-4.2.3.1            1.0_54367
6.4.4.4-4.2.3.0            1.0_54079

For a complete list of countries certified with different AP models, see the respective DRT release notes at support.arubanetworks.com.

Resolved Issues in this Release

There are no issues fixed in the Instant 6.4.4.4-4.2.3.2 release.
Chapter 3 Known Issues and Limitations

This chapter includes the Known Issues and Limitations identified in the Instant 6.4.4.x-4.2.3.x releases:

Known Issue

The following known issue was identified in the Instant 6.4.4.4-4.2.3.0 release:

AppRF

Table 2: AppRF Known Issue

120228
Symptom: The Skype application is not getting blocked when the App enforcement ACL is configured.
Scenario: This issue occurs with IAPs that support the App enforcement feature, and is observed in all the IAPs running Instant 6.4.3.1-4.2.0.0 or later versions.
Workaround: None.

Limitation

The following limitation is identified in the Instant 6.4.4.4-4.2.3.1 release:

No Support for Layer 2 Tunneling Protocol Version 3 (L2TPV3) on Certain Access Points

Starting from Instant 6.4.4.4-4.2.3.1, the L2TPV3 protocol is not supported on certain access points with 16 MB flash memory, such as IAP-104/105, IAP-175, RAP-3, and IAP-134/135.
Chapter 4 Features and Enhancements in Previous Releases

This chapter describes the features and enhancements introduced in the previous Aruba Instant 6.4.4.x-4.2.3.x releases.

Features and Enhancements

This section describes the features and enhancements introduced in the Instant 6.4.4.4-4.2.3.0 release.

802.1X Supplicant Configuration Support for Wired Networks

In Instant 6.4.4.4-4.2.3.0, you can provision an IAP as an 802.1X supplicant for networks where all wired devices are required to authenticate using the PEAP or TLS protocol. If the ports to which the IAPs are connected are configured to use the 802.1X authentication method, ensure that you configure the IAPs to function as an 802.1X client or supplicant and configure the 802.1X authentication type on the uplink ports on the IAP.

To enable the 802.1X supplicant support, ensure that the 802.1X authentication parameters are configured on all IAPs in the cluster.

The 802.1X supplicant feature is not supported with mesh and Wi-Fi uplink. This feature is also not supported on IAP-104/105, IAP-175, RAP-3WN, and IAP-134/135.

For more information, see:
Enabling 802.1X Supplicant Support in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.
The ap1x, ap1x-peap-user, show ap1x, show ap1x, show ap1xcert commands in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.

BLE Beacon Management

In Instant 6.4.4.4-4.2.3.0, IAPs support Aruba Bluetooth Low Energy (BLE) devices, such as BT-100 and BT-105, which are used for location tracking and proximity detection. The BLE devices connected to an IAP can be monitored or managed by a cloud-based Beacon Management Console (BMC). The BLE beacon management feature allows you to configure parameters for managing the BLE beacons and establishing secure communication with the BMC. You can also configure the BLE operation modes that determine the functions of the built-in BLE chip in the IAP.
The BLE beacon management and BLE operation mode feature is supported only on IAP-324/325, IAP-21x/215, and IAP-224/225 devices.

For more information, see:
Managing BLE Beacons in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.
The ble config and show ble-config commands in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.

Out of Service Operations

In Instant 6.4.4.4-4.2.3.0, you can enable or disable an SSID when the VPN, uplink, primary uplink, or Internet connection is down. You can configure an SSID profile to enable or disable the SSID when an out-of-service state is detected on the IAP. For example, if you select the VPN down option from the drop-down list and set the status to enabled, the SSID is enabled when the VPN connection is down and is disabled when the VPN connection is restored.
If you select the Internet-down option to enable or disable the SSID based on Internet availability, you can configure the IP address to which the master IAP can send the ICMP packets to verify if the Internet is reachable. By default, the master IAP sends ICMP packets to the 8.8.8.8 IP address.

For more information, see:
Configuring WLAN Settings for an SSID Profile and Switching Uplinks Based on VPN and Internet Availability in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.
The wlan ssid-profile and uplink commands in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.

Dynamic DNS Registration Support

Starting from Instant 6.4.4.4-4.2.3.0, support for dynamically updating DNS records of the IAP and its clients on the DNS server has been included. You can also configure dynamic DNS when creating Distributed, L3 DHCP scopes and send DNS updates periodically to the DNS server.

For more information, see:
Dynamic DNS Registration in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.
The dynamic-dns-ap, dynamic-dns-interval, dynamic-dns, show ddns, ip dhcp commands in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.

This feature is not supported on IAP-104/105, IAP-175, RAP-3WN, and IAP-134/135.

Support for Client Match Feature on IAP-324/325 platforms

Starting from Instant 6.4.4.4-4.2.3.0, client match is supported on the IAP-324/325 platforms.

Configure-Only Mode in AMP

The latest version of AirWave includes a new option that sets the IAP in the config-only mode. The IAP will receive the firmware upgrades and configurations, but will not send any statistics for monitoring.

For more information, see:
IAP and Client Monitoring in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.

Support for Full URL Visibility and AppRF Enhancements

Instant now supports the extraction of the full URL from HTTP or HTTPS sessions and periodically logs them on the ALE server. Instant 6.4.4.4-4.2.3.0 also supports displaying the list of blocked and allowed DPI and Web Content URLs and session count. The application DPI and Web Content graphs can now be viewed individually.
For more information, see:
Deep Packet Inspection and Application Visibility in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.
The url-visibility, show url-visibility, and show dpi-stats commands in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.

Static LACP Configuration Support

Starting from Instant 6.4.4.4-4.2.3.0, new options are introduced to support the static LACP feature. You can enable, disable, and remove the static LACP configuration on the IAP.
Sometimes, the LACP functionalities vary depending on the switches being used. This feature ensures that the static LACP mode works as expected.

The static LACP mode is supported on IAP-225, IAP-325, and IAP-275 access points.

For more information, see:
Wired Profiles in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.
The lacp-mode and show ap-env commands in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.

Per-AP SSID and VLAN

Starting from Instant 6.4.4.4-4.2.3.0, you can set the environment variables on a wireless profile. You can also configure the per-ap-ssid and per-ap-vlan settings for SSID and VLAN profiles respectively.

For more information, see:
Wireless Network Profiles in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.
The per-ap-ssid and per-ap-vlan commands in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.

New Wired-Containment Knobs for NAT Rogue

Starting from Instant 6.4.4.4-4.2.3.0, the wired-containment knobs can enable the protection of the wired containment for NAT rogue. This feature can also identify and contain an IAP with a preset wired MAC address that is different from the BSSID of the IAP if the MAC address that the IAP provides to wireless clients as the gateway MAC is balanced by one character from its wired MAC address. Enable this feature only when a specific containment is needed, in order to avoid a false alarm.

For more information, see:
Intrusion Detection in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.
The ids command in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.

Configuring Maximum Clients for Radio Profiles

Starting from Instant 6.4.4.4-4.2.3.0, a new per-AP setting has been included to adjust the maximum number of clients that can connect to 2.4 GHz and 5 GHz radio profiles. This option can be configured only via the Instant CLI.

For more information, see:
The a-max-clients and g-max-clients command pages in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.
Configuring a Custom Port for Speed Test Profiles

The Instant 6.4.4.4-4.2.3.0 release allows you to configure a custom server port as part of the speed test profile configuration.

For more information, see:
Uplink Bandwidth Monitoring in the Aruba Instant 6.4.4.4-4.2.3.0 User Guide.
The speed-test command page in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.
Chapter 5 Issues Resolved In Previous Releases

This chapter describes the issues fixed in previous Aruba Instant 6.4.4.x-4.2.3.x releases.

Issues Resolved in 6.4.4.4-4.2.3.1

The following issues are fixed in the Instant 6.4.4.4-4.2.3.1 release:

Authentication

Table 3: Authentication Fixed Issue

136240
Symptom: Accounting packets were being sent to the RADIUS server even after the RADIUS server was down due to an authentication timeout. The issue is resolved by unifying the authentication and accounting status of servers.
Scenario: This issue was observed in all IAPs running Instant 6.4.2.0-4.1.1.0 and later versions.

Captive Portal

Table 4: Captive Portal Fixed Issue

133642
Symptom: Clients connected to an IAP were unable to access Captive Portal. This issue is resolved by performing a check to ensure that the data in the socket is valid.
Scenario: This issue occurred when the clients connected to an IAP did not receive a response from the HTTP server, since Tinyproxy was blocked. This issue was not limited to a specific IAP model or software version.

Datapath/Firewall

Table 5: Datapath/Firewall Fixed Issues

138430
Symptom: Clients on an uplink of standalone IAPs using the VPN gateway functionality were unable to connect to the resources behind the VPN tunnel. The fix ensures that clients can connect to resources behind the VPN tunnel using the IAP as the VPN gateway.
Scenario: This issue was observed in all IAPs running the Instant 6.4.4.4-4.2.3.0 version.

Wi-Fi driver

Table 6: Wi-Fi driver Fixed Issue

137910
Symptom: The interval segment of a Beacon frame was zero on an SSID configuration of an IAP. The fix ensures that the value of the interval segment of the Beacon frame is displayed in correct sequence.
Scenario: This issue was observed in IAP-325 devices running the Instant 6.4.4.4-4.2.3.0 version.
Issues Resolved in 6.4.4.4-4.2.3.0

The following issues are fixed in the Instant 6.4.4.4-4.2.3.0 release:

ARM

Table 7: ARM Fixed Issue

134305
Symptom: An IAP-205 access point crashed with a fatal exception due to kernel panic. The fix ensures that the IAP does not crash when the wide channel band is disabled.
Scenario: This issue occurred when the 80 MHz support is enabled and wide channel band is disabled in the ARM configuration. This issue was observed in IAP-205 access points running Instant 6.4.3.4-4.2.1.2 release and later versions.

Authentication

Table 8: Authentication Fixed Issue

131941
Symptom: Client devices operating on iOS 9 software or a higher version were unable to get an IP address from the assigned VLAN when termination was enabled on the IAP and a VLAN derivation rule was configured. The fix ensures that the client devices receive an IP address from the assigned VLAN.
Scenario: This issue was observed in all IAPs running Instant 6.4.3.4-4.2.1.0 release and later versions.

Captive Portal

Table 9: Captive Portal Fixed Issue

135837
Symptom: IAP-205 access points were generating Tinyproxy error messages when the clients were connecting to a guest SSID using Captive Portal. This issue is resolved by changing the debugging level of the logs.
Scenario: This issue occurred due to the high volume of error logs generated and was observed in IAP-205 access points running Instant 6.4.3.4-4.2.1.0 release and later versions.
Datapath/Firewall

Table 10: Datapath/Firewall Fixed Issues

122754
Symptom: The disconnect-user command failed to clear all the user details from the Virtual Controller or IAP. As a result, a new client was unable to re-use the same IP address. The fix ensures that the previous user details are cleared and the new client is able to re-use the same IP address.
Scenario: The L3 user entry was not cleared when the disconnect-user command was executed. This issue was observed in all IAPs running Instant 6.4.3.1-4.2.0.0 release and later versions.

130729
Symptom: PXE clients connected to the wired port of an IAP were not getting an IP address. This issue is resolved by making a change in the code.
Scenario: This issue was observed in clients with a Bcast bit set and was not limited to a specific IAP model or software version.

132867
Symptom: Wireless clients were unable to ping the IAP when the uplink-vlan tag and the ssid vlan were configured with the same values. This issue is resolved by making a change in the IAP code.
Scenario: This issue was not limited to a specific IAP model or software version.

DHCP Server

Table 11: DHCP Server Fixed Issues

131394
Symptom: The Option 82 relay information was not excluded from the DHCP OFFER and ACK packets before they were sent to the client. The fix ensures that the Option 82 relay information is removed from the DHCP OFFER and ACK packets.
Scenario: This issue occurred when the Option 82 relay information was enabled on the IAP L2 Centralized Local DHCP server and was observed in all IAPs running Instant 6.4.3.4-4.2.1.0 release.

131944
Symptom: DNS server settings were not displayed on the guest VLAN when the IAP was rebooted. This issue is resolved by making a change in the IAP code.
Scenario: The dnsip setting was configured manually and different from the IAP's own DNS setting. This issue was observed in all IAPs running Instant 6.4.3.4-4.2.1.0 release and later versions.
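
A check for the condition described in issue 131394, added here as an example and not taken from Aruba's code or documentation: it parses the options of a DHCP payload captured on the client side and reports whether an OFFER or ACK still carries Option 82, and shows the stripped form the fix is meant to produce. The function names, the sample builder, and its circuit ID and address values are constructed for illustration; options overload (Option 52) is not handled.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_LEN = 236                      # fixed BOOTP header that precedes the cookie
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
OFFER, ACK = 2, 5                     # server-to-client message types named in the issue


def parse_options(payload):
    """Return [(code, value), ...] from a DHCP payload (UDP data only)."""
    start = HEADER_LEN + len(MAGIC_COOKIE)
    if payload[HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = [], start
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:           # single-byte padding, no length field
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def leaks_option82(payload):
    """True if a DHCP OFFER or ACK still carries the relay information option."""
    opts = parse_options(payload)
    msg_type = next((v[0] for c, v in opts if c == OPT_MSG_TYPE and v), None)
    return msg_type in (OFFER, ACK) and any(c == OPT_RELAY_INFO for c, _ in opts)


def strip_option82(payload):
    """Rebuild the payload without Option 82 (the behaviour the fix describes)."""
    kept = [(c, v) for c, v in parse_options(payload) if c != OPT_RELAY_INFO]
    body = b"".join(bytes([c, len(v)]) + v for c, v in kept)
    return payload[:HEADER_LEN + len(MAGIC_COOKIE)] + body + bytes([OPT_END])


def build_sample(msg_type, with_opt82):
    """Constructed sample reply for the demo; not captured traffic."""
    header = bytes([2, 1, 6, 0]) + bytes(HEADER_LEN - 4)   # op=BOOTREPLY, Ethernet
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if with_opt82:
        circuit_id = b"ap-port-1"                          # constructed circuit ID
        sub = bytes([1, len(circuit_id)]) + circuit_id     # sub-option 1
        opts += bytes([OPT_RELAY_INFO, len(sub)]) + sub
    opts += bytes([54, 4, 192, 0, 2, 1])                   # server ID, documentation IP
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    for name, pkt in (("OFFER with Option 82", build_sample(OFFER, True)),
                      ("ACK without Option 82", build_sample(ACK, False))):
        print(name, "-> leaks relay info:", leaks_option82(pkt))
```

Run against the UDP payload of replies captured at a client, leaks_option82 returning True for any OFFER or ACK indicates that the relay information is still reaching clients.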
IAP Platform

Table 12: IAP Platform Fixed Issue

128188
Symptom: IAP-205 access points crashed and rebooted reporting that the memory space was full. This issue is resolved by making a change in the IAP code.
Scenario: This issue was observed in IAP-205 access points running Instant 6.4.3.4-4.2.1.0 release and later versions.
Mesh

Table 13: Mesh Fixed Issue

125922
Symptom: Third-party switches connected to the Mesh Portal were generating inconsistent VLAN messages when the mesh point was rebooted. The fix ensures that the mesh point does not receive any untagged PVST+ packets that were causing this issue.
Scenario: The mesh point was receiving untagged PVST+ packets amidst the tagged PVST+ packets, resulting in the third-party switch generating inconsistent VLAN messages. This issue was observed in all IAPs running Instant 6.4.4.4-4.2.3.0 release and earlier versions.

STM

Table 14: STM Fixed Issue

131706
Symptom: IAP clients were unable to get an IP address from the assigned VLAN when a VLAN derivation rule was configured. The fix ensures that the IAP clients receive an IP address from the assigned VLAN.
Scenario: This issue occurred when the attributes were configured based on the AP-Name and AP-Group and was observed in all IAPs running Instant 6.4.3.1-4.2.0.0 release and later versions.

3G/4G Management

Table 15: 3G/4G Management Fixed Issue

126248
Symptom: IAP devices were taking about 50 minutes to fail over to the Cellular uplink when the Ethernet uplink went down. This issue is resolved by making a change in the IAP code.
Scenario: This issue was observed in all IAPs running Instant 6.4.3.1-4.2.0.0 release and later versions.